Monthly Archives: April 2012

Earlier this week I got into a bit of a tiff with another writer about whether lawyers should be to encrypting their email to meet their ethical obligations. The writer works for Zix Corporation, an encryption service company, and his article was published by Attorney at Work, who often publishes information about new technologies provided by the vendors. But this article wasn’t clearly pitching Zix’s services, it was cautionary tale about the security requirements lawyers should be using to meet ethical requirements. A colleague even called the article to my attention because she was concerned that she wasn’t encrypting her email – she missed the author’s bio at the end.

While the Zix article posits that lawyers risk ethical violations by sending unencrypted email, my reading of the few related ethics opinions doesn’t go so far. In fact, while two states, California and North Carolina, bring up that encryption might be something lawyers should consider using, they fall very short of stating that unencrypted email is dangerously insecure and that lawyers must encrypt. In fact, the ABA hasn’t changed its opinion from 1999 which is that there is a reasonable expectation of privacy in unencrypted email.

On the other hand, the ILTSO, the International Legal Technical Standards Organization, has definite opinions on technical security and they not only say that encryption is required for client data being communicated through the public internet, but they recommend encryption bit thresholds, verification by unexpired third party certificates and making sure that encryption is truly end-to-end.

In this action packed week, I went to a CLE program this morning put on by a prominent Denver law firm entitled “Privilege and Preservation in the Corporate Setting; Practical Tips for Avoiding Communication Pitfalls in the Digital Age.” Fantastic, I thought. I’ll find out what the latest law really is on this subject. When it became clear that the speaker wasn’t going to address encryption in her talk, I asked the question: “Should email be encrypted to preserve the attorney-client privilege?” I didn’t mean to throw the speaker but I did. She said she didn’t know of any court using it to declare whether a communication was privileged or not but didn’t believe a court would invalidate the privilege because a lawyer failed to encrypt an email (and I would trust Zix to point out those cases if there were any). Then I asked whether she knew if many lawyers encrypted their email and she didn’t.

But, I would still like to know! I invite you to comment. Please answer the following questions:

Do you regularly send or receive encrypted email to your clients or outside counsel?

If you do not, have you considered it and why did you decide not to?

If you do, what do your clients think about it?

Promise: If you say no, I will not send your contact data to any ethical committees or encryption providers.

As I’ve been looking into the issues around lawyers putting client data in the cloud, I’ve run into a fair amount of (quasi?) scholarly work on the issue. There are several organizations that have published advice on the subject, including ILTSO, ILTAand ISACA. The primary source materials come from the ABA and various state bar Ethics Committees. So far, case law is very limited, dealing more with maintaining the attorney-client privilege with email and the discoverability of client data that someone else put in the cloud. Your malpractice insurance provider may have something to say about it. And then law practice management vendors publish “White Papers” that describe why their product is a great solution for your practice.

It’s a lot of fairly complex data and it doesn’t all agree. I’ve written a couple of articles for local Colorado legal publications on how the Ethics Committees are approaching the issue. But, so far their advice has been vague and unrealistic. Clearly the users of the many law practice management systems out there (not to mention gmail, Dropbox or Docs to Go users) haven’t been paying attention to them. And until one of them has a big security breach and clients start grieving, no one will – which doesn’t mean lawyers shouldn’t care what the Ethics Committees think. It’s just that the committees aren’t very helpful for lawyers trying to make an educated decision, or use “reasonable precautions” as the opinions require.

I’ve found that some of the organizations give more practical advice. But, the reader still needs to appreciate who is involved in giving that advice. ILTA, the International Legal Technology Association, has some informative publications. It’s important to know, however, that they are provided or sponsored by the vendors of the services they are evaluating. It’s a trade organization, or as it describes itself, a ‘networking organization’.

In contrast, ILTSO, the International Legal Technical Standards Organization, has some of the same membership as the ILTA, but is focused on providing lawyers with standards that they can use to self assess their security compliance. Their standards for client data security are specific and clear, if perhaps beyond what most lawyers are doing today.

ISACA, the Information Systems Audit and Control Association, has a broader audience than just the legal profession. And think about it, other types of businesses, including health care and financial services, have many more technical security requirements to follow than lawyers. It is an independent organization that provides certification in auditing and security. ISACA has issued guidelines on adopting cloud use that lawyers can apply to the business of practicing law which shed light on the risks and rewards of this advanced technology.

Finally, a few words about white papers. The purpose of a white paper is to help you make a decision, so the author is important. They are rarely impartial. A commercial white paper is written to persuade you to choose that vendor’s product. They aren’t false, or they would be prohibited by the FTC rules on false advertising. But they are marketing materials. Think of it like a brief. It may cite cases and ethics opinions. It may also conveniently ignore various issues. Trade associations and standards organizations also have agendas. To the extent their white papers help prod vendors and users towards better practices, I trust them more. If ethics committees considered the advice of the standards organizations when they issue their opinions (and maybe they did, but it’s not apparent), they would be more practical and helpful.